[00:00.640 --> 00:04.980]  Hello and welcome, this is ERPwnage, Threat Simulation Against SAP.
[00:04.980 --> 00:08.820]  This is a talk being given to the Red Team Village at DEF CON 28.
[00:08.920 --> 00:13.300]  Unfortunately with Corona going around, we can't really meet in person and talk through this.
[00:13.300 --> 00:15.580]  But, let's try to make the best of it.
[00:15.580 --> 00:19.300]  Hopefully you can get something out of this talk on targeting SAP.
[00:20.640 --> 00:22.000]  Alright, so who am I?
[00:22.000 --> 00:24.560]  My name is Austin Mark, I'm a Reformed Basis Admin.
[00:24.560 --> 00:28.520]  Basis Admin is just the sysadmin of the SAP world.
[00:28.520 --> 00:32.980]  So they might do implementations, migrations, upgrades, stuff like that.
[00:33.020 --> 00:37.960]  So I got out of that, went into doing full-time pen testing a number of years ago.
[00:37.960 --> 00:39.940]  And I've been employed at RSM.
[00:40.600 --> 00:44.520]  You've got my website, amark.com, my Twitter, and then my GitHub.
[00:44.740 --> 00:48.060]  And I go by the handle Cryo, and I have for quite some time.
[00:49.380 --> 00:50.800]  Cool, so what is this?
[00:50.800 --> 00:54.620]  This is Anthology, this is a talk being given to the Red Team Village.
[00:54.620 --> 00:57.480]  It's a lightning talk about SAP.
[00:57.480 --> 01:02.960]  Anthology is just a collection of talks that I'm giving this year and hopefully for years to come.
[01:02.960 --> 01:07.400]  This is just how I organize my talks and make sure things are easy to digest.
[01:07.400 --> 01:09.920]  And if you're interested in one topic, maybe you're interested in another.
[01:10.600 --> 01:11.700]  What is the goal?
[01:11.700 --> 01:15.980]  The goal of this talk is to provide Red Teams with enough knowledge to target SAP.
[01:16.320 --> 01:18.860]  And kind of strike a balance between the new and the practical.
[01:18.860 --> 01:20.960]  Things that are tried and true and aren't going anywhere.
[01:20.960 --> 01:26.660]  But then also speak at least briefly to some of the new and exciting techniques or exploits that we're seeing today.
[01:26.660 --> 01:28.180]  Why SAP?
[01:28.340 --> 01:31.360]  Because it's unnecessarily complex, in my opinion.
[01:31.360 --> 01:33.400]  Difficult to update and business critical.
[01:33.500 --> 01:37.180]  Some of what we're going to talk about here can be applied to other ERPs.
[01:37.320 --> 01:39.040]  But we'll be focused on SAP.
[01:39.060 --> 01:45.220]  They have allegedly well over 120,000 installations worldwide.
[01:45.740 --> 01:53.220]  But some of the techniques that we'll be presenting on here can be applied to any ERP or anything you're attempting to target.
[01:53.220 --> 01:57.300]  So some of this is going to be kind of ERP agnostic or target agnostic.
[01:57.560 --> 02:03.460]  But really we're going to try to dive deep into SAP and focus mostly on that ERP.
[02:03.920 --> 02:08.680]  So the goal of this talk is to walk through some of those tried and true techniques.
[02:09.060 --> 02:14.060]  And review some of those vulnerabilities and give you a jumping off point for attacking SAP.
[02:16.720 --> 02:18.360]  Alright, so onto the agenda.
[02:18.360 --> 02:19.520]  What are we going to cover?
[02:19.520 --> 02:22.340]  We're going to talk really quickly about what SAP is.
[02:22.340 --> 02:23.840]  How we get into SAP.
[02:24.340 --> 02:27.720]  What if we want to get out of SAP and maybe move laterally?
[02:27.860 --> 02:30.360]  And then what the impact of some of what we're doing is.
[02:30.360 --> 02:33.480]  So as red teamers, maybe sometimes we just care about access.
[02:33.480 --> 02:38.300]  We should be able to at least speak to what the impact is to the business and what we are able to get access to.
[02:38.320 --> 02:39.840]  Alright, so what is SAP?
[02:39.840 --> 02:42.940]  SAP is an ERP. It's a suite of enterprise tools for management.
[02:43.620 --> 02:45.420]  Enterprises have to store it all somewhere.
[02:45.960 --> 02:48.280]  And SAP wants to be that single point of truth.
[02:48.500 --> 02:53.280]  So if you can manipulate that single point of truth, the impact can be pretty substantial.
[02:54.220 --> 02:57.480]  Alright, and lastly, how do we get into SAP?
[02:57.480 --> 03:03.320]  So there are a number of recent exploits that have been released, including 10KBLAZE, RECON, etc.
[03:04.100 --> 03:07.400]  These are going to take a while for a lot of businesses to patch.
[03:07.500 --> 03:15.960]  Many SAP systems don't go through the standard patch Tuesday that you see with other back-end systems that support a business.
[03:16.020 --> 03:23.100]  They tend to wait for a support pack or something that will effectively patch all of this at once.
[03:23.100 --> 03:25.040]  With minimal downtime.
[03:25.160 --> 03:33.100]  In the case of 10KBLAZE, orgs have regularly mispatched or applied what they believe to be a patch without adjusting their ACLs.
[03:33.100 --> 03:37.060]  And this vulnerability is unlikely to go away anytime soon.
[03:37.360 --> 03:38.640]  But we are red teaming here.
[03:38.640 --> 03:43.500]  We really don't rely on poor patching practices to gain access and move laterally.
[03:43.500 --> 03:49.580]  Tried and true techniques such as session hijacking, credential harvesting, and phishing haven't exactly gone by the wayside.
[03:49.580 --> 03:54.400]  Lastly, we'll talk a little bit about some of the impact of getting access into SAP.
[03:54.520 --> 04:01.080]  Where it might help you elevate your privileges or crack passwords or even pivot into a new exciting network.
[04:02.380 --> 04:05.420]  Alright, finding SAP. So where's the fun at?
[04:05.420 --> 04:10.760]  The SAP router is something that we regularly find because SAP requires it for support.
[04:10.760 --> 04:16.200]  So if you're trying to get support from SAP, you have to have this router installed and exposed to the web.
[04:16.200 --> 04:31.320]  Also, we regularly find web services that are disclosing the exact landscape, OS patch level, services running on the SAP internal infrastructure, and of course, LinkedIn.
[04:31.320 --> 04:41.340]  We have third party contractors all the time that are disclosing the exact client they're working for, what they implemented, what patch level they moved everything to, and support packs.
[04:41.340 --> 04:49.020]  Some of them are even kind enough to explain exactly what security systems have been implemented in the case of the consultant on the very bottom.
[04:49.760 --> 04:54.900]  But kind of the same thing that you would do for any other type of red team or any other type of investigation.
[04:55.160 --> 05:04.280]  There are some SAP specific services and background information that you can use to just further inform where you're going to target if you're trying to get into SAP.
[05:05.600 --> 05:10.320]  Alright, so moving on to some common exploits. 10KBLAZE. I don't think this is going anywhere.
[05:10.320 --> 05:14.640]  10KBLAZE is what I like to think of as the MS17-010 of the SAP world.
[05:14.840 --> 05:20.220]  It gives you full-blown RCE. You can find it pretty much anywhere and the impact is typically severe.
[05:20.740 --> 05:24.600]  What's worse than MS17-010 is that it's difficult and can be confusing for a business to patch.
[05:24.600 --> 05:38.120]  Great research and proof-of-concepts were published by Dmitry and Mathieu for what was actually an older vulnerability that got a lot of attention during the proof-of-concepts and during the talk they gave at OPCDE.
[05:38.840 --> 05:44.800]  At the bottom of the screen, you've got a one-liner to dump hashes from the database.
[05:44.800 --> 06:01.160]  This is a fully anonymous, no-authentication-required command execution vulnerability within SAP that, without appropriate ACLs put in place, is going to get you code execution as sidadm.
[06:01.160 --> 06:18.280]  The sidadm user is effectively the SAP administrator, so you have full access, full rights to add users, dump tables; you essentially have full control over the SAP system at that point.
[06:18.660 --> 06:26.240]  RECON, the new hotness. A few Onapsis researchers identified and disclosed CVE-2020-6287 and CVE-2020-6286.
[06:26.240 --> 06:36.460]  Both of these are impacting the SAP NetWeaver Java Stack application servers. These servers are regularly exposed to the web. That's a big part of why this is a concerning vulnerability.
[06:36.860 --> 06:50.380]  Proof-of-concepts were developed and released by Dmitry, the same individual who also released 10KBLAZE. This proof-of-concept was later built upon by zeroSteiner, and that proof-of-concept has since been merged into Metasploit.
[06:50.380 --> 07:01.560]  The POC adds an administrative user that can then take full control of the SAP Java system. The vulnerability relies on an authentication bypass in the application configuration wizard.
[07:01.560 --> 07:12.120]  The fix is a little bit more straightforward than 10k Blaze. You can simply patch or disable the LM manager altogether. And if you are to do that, you're relatively safe.
[07:12.120 --> 07:25.020]  The high risk of this is that while 10KBLAZE is typically only seen on internal networks and relies on a weakness in, say, the SAP router ACL, this is something that's just directly exposed to the web.
[07:25.020 --> 07:36.140]  And it's gotten a lot of attention from bug bounty hunters who are going out and creating proof-of-concept admin users and disclosing them to companies. It's probably a little risky for that to be going on on some of your business critical systems.
[07:37.920 --> 07:50.360]  Alright, so fast-tracking your career as a basis admin. SAP vulns are fun, but there are plenty of ways to get initial access. We do Red Team stuff, we aren't here to be limited by a couple of vulns or patch management.
[07:50.380 --> 07:57.040]  If you have a target, or you want to have a target, basis admins are probably one of the best targets for getting substantial access into SAP.
[07:57.040 --> 08:10.300]  Basis is just a fancy word for SAP admin. Sometimes they have special admin access, sometimes special network access, but they definitely have the rights that we're after.
[08:10.640 --> 08:19.320]  And typically they're over-provisioned with roles like SAP_ALL, which is effectively domain administrator for SAP admins.
[08:19.840 --> 08:26.720]  One of my go-to's and tried-and-true techniques is RDP hijacking, a basis session. Still works in most environments.
[08:26.940 --> 08:38.760]  Getting that level of access typically means that we're going to go down the AD pen testing road, and I don't want to talk too much about that here, but RDP hijacking is still super useful in environments, and not just for SAP.
[08:38.760 --> 08:51.980]  This is something that we've used plenty of times when we're trying to get access into another ERP that might be the target, and we might not have the software that's required, even if we have credentials, to log into those systems.
[08:52.980 --> 08:58.980]  If your access permissions and rights are my access permissions and rights, I'll get where I need to go at the end of the day.
[09:00.480 --> 09:08.600]  Regularly, you'll find these basis administrators in their own group inside of Active Directory. That should really narrow down where you're trying to target.
[09:08.860 --> 09:18.140]  And they regularly post contact information on an intranet. That should also give you a couple directing points on where you can go find some of these users.
[09:18.940 --> 09:26.820]  We also have a couple of RDP hijacking demos here on the right that I've pulled from DoublePulsar.
[09:27.480 --> 09:39.460]  Just in case you're not familiar with RDP hijacking, there is a Mimikatz module for it as well. I believe this works all the way up to Server 2016.
[09:42.470 --> 09:48.710]  So, we've got him hijacking a session. He's got some sort of IOWAs here first.
[09:48.710 --> 10:00.590]  Really, what you're doing is you're just stealing a session. And you're assuming the admin is still logged in, doing his work, even if the credentials are MFA'd or anything else, you have their session at that point.
[10:00.590 --> 10:01.450]  Alright, cool.
[10:03.290 --> 10:12.210]  Alright, phishing SAP users. Phishing is still consistently and regularly one of our most successful paths for initial access.
[10:12.210 --> 10:24.090]  Excel macros continue to be useful, but if you have SAP GUI scripting enabled, which it almost always is in my experience, they work particularly well for phishing for initial access directly into SAP.
[10:24.590 --> 10:36.210]  SAP Excel macros aren't going to have the common indicators of compromise that you would see when you're trying to phish for getting a C2 directly into memory.
[10:36.990 --> 10:45.830]  Sure, there's a macro with an IPv4 or hostname pattern, and an OLE object is created, but that's not going to trip AV or EDR on its own.
[10:45.830 --> 10:52.790]  At the bottom, you can see VirusTotal looking at some very simple SAP macros that were created.
[10:53.050 --> 10:55.650]  Nothing is going to pick up on this.
[10:55.650 --> 11:13.150]  Yes, you don't have the same type of shell access that you would have otherwise, but you could potentially use this with some sort of SAP payload that, when executed, runs in the context of the user that's executing it, if single sign-on is enabled.
[11:13.770 --> 11:29.290]  SAP GUI scripting is something that almost every business relies on, but if you're following along at home, you probably are noticing that you're still going to need a hostname, a client number, maybe even a domain for sending this type of information on behalf of a user.
[11:29.290 --> 11:39.090]  You still have to know where the SAP systems are, which is not a huge problem if you're trying to get hostnames.
[11:39.090 --> 11:47.530]  SAP WebDispatcher is absolutely everywhere. It's regularly disclosing SAP hostnames, domain schemas, services, and patches.
[11:47.530 --> 12:02.970]  I rarely see it require authentication at all, but if it does require authentication, typically if you go from /default.html to /index.html, it bypasses authentication entirely.
[12:02.970 --> 12:12.670]  It will disclose the hostname, services, OS version, patches, and in my experience, very rarely requires auth at all.
[12:14.270 --> 12:21.030]  Yes, these services can be disabled, but you can also check at /sap/public/info.
[12:21.030 --> 12:33.730]  But if you're able to grab the hostnames of some of these machines that you're trying to target, you can pre-create malicious SAP GUI scripts or VBA macros.
[12:36.160 --> 12:45.980]  And there's just a quick screenshot of all the SAP NetWeaver ICM services that are potentially disclosing this information out of the web, and I guarantee you there are plenty more.
[12:47.400 --> 12:50.060]  Alright, so let's talk about grabbing some plain text credentials.
[12:50.060 --> 12:57.220]  If you can get shell access on an SAP user system, those same SAP GUI scripts we just discussed are also worth hunting for.
[12:57.220 --> 13:07.700]  Regularly they'll have hard-coded credentials, and there might be some fun backdooring or persistence opportunities for those scripts if single sign-on is not enabled.
[13:08.060 --> 13:10.860]  SAP uses what's called SNC for encryption.
[13:10.860 --> 13:27.160]  If you have shell access and you're able to find yourself in a man-in-the-middle type of position, you can use an SAP Wireshark dissector plugin that will quickly look through and parse out passwords directly from SAP PCAPs.
[13:27.160 --> 13:32.720]  There's actually a Wireshark filter that does exactly that. Shout out to those guys who wrote this fantastic plugin.
[13:32.720 --> 13:41.560]  I use it somewhat regularly if I can find a way to man-in-the-middle the traffic between an SAP system and the user systems.
[13:48.170 --> 13:52.710]  A little bit of background on the user types that you might be able to collect.
[13:52.890 --> 13:56.610]  You may get access to dialog or non-dialog users.
[13:56.610 --> 13:59.830]  A dialog user will allow you to just log in to SAP.
[13:59.830 --> 14:04.230]  You can kind of think of it the same way you would an Active Directory domain user account.
[14:04.230 --> 14:08.150]  And then similar to an Active Directory service user account, you have non-dialog users.
[14:08.150 --> 14:11.910]  Those are users that cannot directly log in to SAP.
[14:11.910 --> 14:19.370]  Instead, they will execute RFCs or ABAP code externally, and they can't log directly into the system.
[14:19.370 --> 14:29.490]  So if you do have access to a non-dialog user, you may still be able to take advantage of some of the elevated rights that you have in that context.
[14:29.490 --> 14:35.910]  To kind of show that and prove that out, I wrote RFCpwn. I'm sure there are other tools that do the same thing.
[14:35.950 --> 14:38.350]  But this was the tool that I pulled together.
[14:40.610 --> 14:46.550]  You can see on the right-hand side an Impacket-style enumeration and exploitation tool.
[14:47.250 --> 14:54.530]  We have the IP, the client, a user, and a password that we were able to gain access to.
[14:54.530 --> 15:00.490]  And we're going to copy that user's rights into a dialog user called SAPPrivUser.
[15:00.970 --> 15:06.670]  The script runs, collects those user privs, and moves them over to a brand new user.
[15:06.670 --> 15:09.250]  We can also run the tech dump flag.
[15:09.370 --> 15:16.010]  And that will give us all of the SHA hashes for an SAP system.
[15:16.010 --> 15:21.330]  So this is just a very quick proof of concept. I plan to make some updates to this tool here soon.
[15:21.850 --> 15:26.270]  Feel free to follow it. I plan to post something here in the next coming weeks.
[15:27.150 --> 15:32.370]  But really, this tool is designed to demonstrate the impact of compromising service accounts.
[15:32.590 --> 15:33.210]  Cool.
[15:33.670 --> 15:35.850]  So let's talk about cracking those hashes.
[15:36.150 --> 15:37.830]  BCODE is best code.
[15:38.750 --> 15:44.150]  There are three types of hashes you'll typically see as part of testing SAP systems.
[15:45.130 --> 15:49.390]  There are also SAP Secure Cred Store hashes, but we're not going to really talk about that.
[15:49.390 --> 15:51.390]  Those are better covered by other talks.
[15:51.390 --> 15:57.010]  What I'm really most excited to see is backward compatibility enabled for logons,
[15:57.010 --> 15:58.810]  which will mean that there are BCODE hashes.
[15:58.810 --> 16:04.250]  BCODE hashes will force every character to be uppercase,
[16:04.250 --> 16:07.570]  and it will truncate the password to eight characters.
[16:07.890 --> 16:10.010]  You might actually have a password that's much longer,
[16:10.010 --> 16:12.170]  but if you can crack the first eight with BCODE,
[16:12.170 --> 16:17.150]  and then maybe the last seven with a hashcat mask attack for a 15-character password,
[16:17.150 --> 16:24.130]  you can start cracking out very, very long admin passwords that would be difficult to crack otherwise.
[16:24.350 --> 16:29.930]  There are a lot of ways to gather those hashes via different table-reading BAPIs,
[16:29.930 --> 16:36.470]  or even just accessing the USR02 table in SAP and exporting a CSV.
[16:37.930 --> 16:42.990]  On the bottom, you can see some of the hashcat codes to crack these passwords.
[16:42.990 --> 16:48.570]  In the back, you can see a simple mask attack that executed almost immediately,
[16:48.570 --> 16:55.090]  where we were attempting to crack out a BCODE hash using just an uppercase, uppercase, uppercase,
[16:55.090 --> 16:57.750]  eight-character password, which cracked out with password.
[16:58.430 --> 17:02.850]  And then on the right-hand side, you can kind of see what it would look like to pull these out of USR02.
[17:02.850 --> 17:05.530]  There are also scripts that will pull these exact same tables.
[17:06.370 --> 17:10.990]  And if you're trying to grab similar hashes, you can do that inside of RFCpwn as well.
[17:11.490 --> 17:15.450]  But BCODE is the best code. That is definitely what I'm looking for.
[17:15.630 --> 17:21.610]  And I regularly see it, because it is required for supporting older kernel versions of SAP,
[17:21.610 --> 17:26.950]  I think anything before 7.0, you have to be supporting BCODE.
[17:30.650 --> 17:35.050]  Code execution. So everybody loves code execution.
[17:35.050 --> 17:38.710]  So we have hashes, we have access into SAP, but everybody wants shells.
[17:39.530 --> 17:45.110]  If you're new to SAP, SAP comes with this handy T-code called SE38.
[17:45.230 --> 17:51.930]  And there's a transaction that you can run called RSBDCOS0.
[17:51.930 --> 17:55.410]  You run that report, it will give you a very basic shell.
[17:55.410 --> 18:00.050]  And you can cat out /etc/passwd and run some very standard commands.
[18:00.050 --> 18:07.310]  But if you want to go above and beyond, and you want to find your own commands and run pretty much anything you want,
[18:07.310 --> 18:11.510]  SM69 is the way you want to go. That is another T-code within SAP.
[18:12.230 --> 18:17.710]  It's a little finicky to get a reverse shell or netcat out shell.
[18:17.710 --> 18:23.130]  A simple fix that works for me is to curl over a one-liner named-pipe reverse shell.
[18:23.370 --> 18:28.410]  And after pulling that over, you can execute it as a custom transaction.
[18:28.410 --> 18:34.370]  This is a very loud attack, right? You're going to show up as a brand new program type within this table.
[18:34.370 --> 18:38.530]  But if you're looking for a shell, this may be a way to get access.
[18:38.530 --> 18:41.470]  So we've got a quick video of kind of what that looks like.
[18:41.470 --> 18:45.530]  On the right-hand side, you have a transaction that I've created here.
[18:45.530 --> 18:50.250]  I'm just executing the script that I just curled into the standard directory.
[18:51.830 --> 18:58.490]  I'm not listening yet, so we ran it once, not listening, come back up, run it again, and we've got a shell.
[19:05.380 --> 19:08.160]  All right, and lastly, we're going to talk a little bit about fuzzing SAP.
[19:08.160 --> 19:13.020]  Just some things that I've seen work. Radamsa has been very, very successful in fuzzing SAP in the past.
[19:13.020 --> 19:20.140]  You can see a few ERPScan security researchers who have found vulnerabilities using it back in 2016, 2017.
[19:21.320 --> 19:26.780]  Using that same framework, I like to use Cisco's Mutiny, which leverages part of Radamsa
[19:26.780 --> 19:32.760]  and automates a lot of the process of extracting potential fuzzers, creating the fuzzer,
[19:32.760 --> 19:39.260]  and then being able to do fuzz cases all based off of just some PCAPs that you can pull out of Wireshark.
[19:39.560 --> 19:42.120]  And then you can, of course, use that Wireshark dissector that we talked about
[19:42.120 --> 19:50.040]  and begin to understand what exactly is being fuzzed, how it's being fuzzed, and dive deeper into the binary.
[19:50.900 --> 19:55.520]  And to that end, one of the things that I've been finding kind of interesting,
[19:55.520 --> 19:59.140]  and I haven't seen a ton of success with it yet, but I'm really excited about it,
[19:59.140 --> 20:04.160]  is this VulnFanatic plugin for Binary Ninja that will go out, look for sources and sinks,
[20:04.160 --> 20:07.760]  and start highlighting parts of the code inside of the control flow graph
[20:07.760 --> 20:17.260]  and maybe show you where a potential buffer overflow from a memcpy or a scanf could be happening within the binary itself.
[20:17.260 --> 20:20.840]  So on the right-hand side, you've got the HANA database index server
[20:20.840 --> 20:27.440]  and some potential buffer overflows up at the top that VulnFanatic believes it has identified.
[20:27.440 --> 20:35.020]  And then lastly, I'm just going to release an old POC that I had for a crash inside of the HANA database server
[20:35.020 --> 20:37.820]  that affected every version up until last August.
[20:37.820 --> 20:42.000]  So if you haven't patched since this time last year, consider patching,
[20:42.000 --> 20:46.680]  but hopefully somebody can find it useful or at least kick some tires for somebody.
[20:49.060 --> 20:52.340]  So those of you with a red teaming background or a pen testing background
[20:52.340 --> 20:56.160]  have definitely touched Impacket or a tool that's built off of Impacket.
[20:57.000 --> 20:59.840]  Similar, but for SAP, is pysap.
[20:59.840 --> 21:03.840]  It's a library for crafting SAP network packets built off of Scapy.
[21:04.280 --> 21:07.520]  Martin maintains this. He does a fantastic job.
[21:07.520 --> 21:09.660]  He has a ton of example scripts.
[21:10.080 --> 21:14.280]  Strongly, strongly recommended for trying to craft SAP fuzzers.
[21:15.240 --> 21:19.180]  The hdboff module is something that recently got pushed out.
[21:19.180 --> 21:22.060]  I'm super excited to try that out on my own.
[21:22.060 --> 21:24.800]  One of my favorites, and you can see it on the right-hand side,
[21:24.800 --> 21:28.120]  is this ms_dump_param example module
[21:28.120 --> 21:32.300]  that will tell you some of the potentially sensitive settings
[21:32.300 --> 21:34.880]  that may or may not be enabled.
[21:35.300 --> 21:38.940]  If you look at the right-hand side, some of those have exclamation points.
[21:38.940 --> 21:40.120]  And if we look down toward the bottom,
[21:40.120 --> 21:44.560]  we can see login/password_downwards_compatibility is set to zero.
[21:44.560 --> 21:46.040]  Now that would be a good thing.
[21:46.260 --> 21:50.640]  But bear in mind, this is just the operating config,
[21:50.640 --> 21:52.720]  not necessarily the running config.
[21:52.800 --> 21:54.920]  So even if it says zero here,
[21:54.920 --> 21:58.700]  there's a potential that downwards compatibility is enabled
[21:58.700 --> 22:00.700]  in something like RZ11.
[22:00.840 --> 22:02.760]  We won't get into too much of that here.
[22:02.760 --> 22:04.900]  The nuances, just because it's marked there
[22:04.900 --> 22:06.900]  as downward compatibility disabled
[22:06.900 --> 22:10.900]  doesn't mean it's actually disabled in the running system.
[22:12.180 --> 22:16.200]  And if that is disabled, you might not get BCODE hashes,
[22:16.200 --> 22:18.660]  but maybe you'll get BCODE hashes because somebody's gone
[22:18.660 --> 22:20.760]  and made that adjustment in the running config.
[22:20.880 --> 22:24.620]  And somebody's logged in or changed their password with that enabled.
[22:25.600 --> 22:28.880]  Further, there's a ton of different protocols that this supports.
[22:29.500 --> 22:32.320]  Just if you're going to do any sort of packet crafting,
[22:32.320 --> 22:37.700]  this is a strongly recommended tool for fuzzers or for SAP research.
[22:37.840 --> 22:41.440]  And I use a lot of these tools in my pen testing,
[22:41.440 --> 22:45.820]  in addition to some of the standard modules you see inside of something like Metasploit.
[22:46.000 --> 22:46.940]  Cool.
[22:47.700 --> 22:49.680]  All right, so what did we cover?
[22:49.680 --> 22:53.220]  Newfangled SAP vulns, how to target SAP users,
[22:53.220 --> 22:55.820]  and which SAP users I would personally target,
[22:55.820 --> 23:00.400]  gathering cleartext credentials, code execution as non-dialog users,
[23:00.400 --> 23:04.040]  fuzzing SAP as a target, and the pysap library.
[23:05.020 --> 23:09.260]  Some shoutouts to some fantastic researchers, friends,
[23:09.260 --> 23:13.600]  people that I look for additional research from.
[23:13.600 --> 23:15.940]  These are all fantastic SAP researchers.
[23:15.940 --> 23:18.320]  I strongly recommend following each and every one of them.
[23:18.420 --> 23:21.200]  And then on the right-hand side, you have my Twitter and Discord.
[23:21.200 --> 23:23.940]  Feel free to reach out based on this talk, ask questions,
[23:23.940 --> 23:27.020]  and I'd love to hear from you, collab on some stuff.
[23:27.500 --> 23:31.060]  SAP is definitely an area of growing interest over the last couple of years,
[23:31.060 --> 23:32.620]  and I think it'll continue to be.
[23:33.740 --> 23:36.560]  And with that, we can turn it over for Q&A.
[23:37.420 --> 23:41.060]  I will be in the chat, so feel free to drop me questions there.
[23:41.160 --> 23:43.680]  This is prerecorded just a little bit beforehand,
[23:43.680 --> 23:46.720]  so it's still very fresh, but drop me questions,
[23:46.720 --> 23:51.020]  and I'll be sure to get back to you quickly in the Red Team Village Discord channel.
[23:52.060 --> 23:53.000]  And thank you for coming!
